{{- define "chrony_resources" }}
cpu: 10m
memory: 25Mi
{{- end }}

{{ $ntpServers := list }}
{{- range $value := .Values.chrony.ntpServers }}
  {{- if regexMatch "(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$" $value }}
    {{ $ntpServers = append $ntpServers $value }}
  {{ else }}
    {{ $ntpServers = append $ntpServers (printf "%s." ($value | trimSuffix ".")) }}
  {{- end }}
{{ end }}

{{- if (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: chrony
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "chrony" "tier" "node" "workload-resource-policy.deckhouse.io" "every-node")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: DaemonSet
    name: chrony
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: "chrony"
      minAllowed:
        {{- include "chrony_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 25m
        memory: 50Mi
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: chrony-master
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "chrony" "tier" "node" "workload-resource-policy.deckhouse.io" "master")) | nindent 2 }}
spec:
  targetRef:
    apiVersion: "apps/v1"
    kind: DaemonSet
    name: chrony-master
  updatePolicy:
    updateMode: "Auto"
  resourcePolicy:
    containerPolicies:
    - containerName: "chrony"
      minAllowed:
        {{- include "chrony_resources" . | nindent 8 }}
      maxAllowed:
        cpu: 25m
        memory: 50Mi
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: chrony
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "chrony")) | nindent 2 }}
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: chrony
  template:
    metadata:
      labels:
        tier: node
        app: chrony
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node.deckhouse.io/group
                operator: NotIn
                values:
                - master
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      imagePullSecrets:
      - name: deckhouse-registry
      {{- include "helm_lib_priority_class" (tuple . "cluster-medium") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      containers:
      - name: chrony
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_TIME
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - SETGID
            - SETUID
            - SETPCAP
            - NET_BIND_SERVICE
            - NET_RAW
            - SYS_CHROOT
            - MKNOD
            - AUDIT_WRITE
            - SETFCAP
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        image: {{ include "helm_lib_module_image" (list . "chrony") }}
        env:
        - name: PATH
          value: /opt/chrony-static/bin
        - name: NTP_ROLE
          value: sink
        - name: NTP_SERVERS
          value: {{ join " " $ntpServers | quote }}
        - name: CHRONY_MASTERS_SERVICE
          value: {{ printf "chrony-masters.d8-%s.svc.%s" .Chart.Name .Values.global.clusterConfiguration.clusterDomain | quote }}
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        ports:
        - name: ntp
          containerPort: 123
          protocol: UDP
        livenessProbe:
          exec:
            command:
            - /opt/chrony-static/bin/chronyc
            - tracking
          initialDelaySeconds: 30
          periodSeconds: 60
          timeoutSeconds: 15
        volumeMounts:
        - name: tz-config
          mountPath: /etc/localtime
          readOnly: true
        - name: tzdata-config
          mountPath: /etc/timezone
          readOnly: true
        - name: chrony
          mountPath: /var/run/chrony
        - name: config
          mountPath: /var/run/chrony/chrony.conf.tpl
          subPath: chrony.conf.tpl
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }}
  {{- if not (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "chrony_resources" . | nindent 12 }}
  {{- end }}
      volumes:
      - name: tz-config
        hostPath:
          path: /etc/localtime
      - name: tzdata-config
        hostPath:
          path: /etc/timezone
      - name: chrony
        emptyDir: {}
      - name: config
        configMap:
          name: chrony
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: chrony-master
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" "chrony")) | nindent 2 }}
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: chrony-master
  template:
    metadata:
      labels:
        tier: node
        app: chrony-master
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node.deckhouse.io/group
                operator: In
                values:
                - master
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      imagePullSecrets:
      - name: deckhouse-registry
      {{- include "helm_lib_priority_class" (tuple . "cluster-medium") | nindent 6 }}
      {{- include "helm_lib_tolerations" (tuple . "any-node") | nindent 6 }}
      {{- include "helm_lib_module_pod_security_context_run_as_user_deckhouse" . | nindent 6 }}
      containers:
      - name: chrony
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - SYS_TIME
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - SETGID
            - SETUID
            - SETPCAP
            - NET_BIND_SERVICE
            - NET_RAW
            - SYS_CHROOT
            - MKNOD
            - AUDIT_WRITE
            - SETFCAP
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
        image: {{ include "helm_lib_module_image" (list . "chrony") }}
        env:
        - name: PATH
          value: /opt/chrony-static/bin
        - name: NTP_ROLE
          value: source
        - name: NTP_SERVERS
          value: {{ join " " $ntpServers | quote }}
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        ports:
        - name: ntp
          containerPort: 123
          protocol: UDP
        livenessProbe:
          exec:
            command:
            - /opt/chrony-static/bin/chronyc
            - tracking
          initialDelaySeconds: 30
          periodSeconds: 60
          timeoutSeconds: 15
        volumeMounts:
        - name: tz-config
          mountPath: /etc/localtime
          readOnly: true
        - name: tzdata-config
          mountPath: /etc/timezone
          readOnly: true
        - name: chrony
          mountPath: /var/run/chrony
        - name: config
          mountPath: /var/run/chrony/chrony.conf.tpl
          subPath: chrony.conf.tpl
        resources:
          requests:
            {{- include "helm_lib_module_ephemeral_storage_logs_with_extra" 10 | nindent 12 }}
  {{- if not (.Values.global.enabledModules | has "vertical-pod-autoscaler-crd") }}
            {{- include "chrony_resources" . | nindent 12 }}
  {{- end }}
      volumes:
      - name: tz-config
        hostPath:
          path: /etc/localtime
      - name: tzdata-config
        hostPath:
          path: /etc/timezone
      - name: chrony
        emptyDir: {}
      - name: config
        configMap:
          name: chrony

